Adobe patches Flash - heads off in-the-wild attacks against Windows and Apple users


Hot on the heels of Oracle's not-on-a-Tuesday emergency patch for Java comes a "Patch Thursday" update from Adobe.

This time it's Adobe's Flash player that gets an upgrade, and it sounds well worth applying as soon as you can.

The update heads off in-the-wild attacks against both Windows and Apple users.

A good bookmark for keeping track of Adobe's vulnerability-related notifications is the company's Security bulletins and advisories page. As I write this, it links you to Adobe Product Security Bulletin 13-04.

(No, I can't explain why software vendors are still shy of writing years with four digits. Yes, 2013-04 would be much more self-descriptive, although at least the month/year ambiguity is reduced now we're past 2012.)

Adobe is aware of reports that CVE-2013-0633 is being exploited in the wild in targeted attacks designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content. The exploit for CVE-2013-0633 targets the ActiveX version of Flash Player on Windows.

Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content.

Mac fans often get agitated when we suggest that their platform might be vulnerable to malware attacks that don't require explicit user approval.

But even if we assume that Mac users are always well-informed enough to avoid clicking [OK] every time danger looms, this is a reminder that the cybercrooks (or Advanced Persistent Threatsters, if you prefer) consider Macs a fruitful and assailable target.

We're talking about RCE, or remote code execution, here.

That means a drive-by download, where the usual user interaction, warnings and safeguards in your software are bypassed so that merely reading a web page or viewing a document could result in a surreptitious background install.

Another good bookmark on Adobe's site is the About page. This uses a Flash object to see if you have a Flash Player installed, and will report the version number if you do.

You can then compare the version number shown with the recommended versions and thus easily check how well-patched you are:

As we've bemoaned before, Adobe's versioning varies wildly by operating system and by browser. There are four numbers in the version string, but only the leftmost is constant throughout all supported platforms.

You need version 11 on every platform, but your full version string will be constructed from the following dizzy set of combinations: 11.{2,3,5}.{31,202,379,502}.{14,139,149,223,262}.
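A per-branch check along these lines, as an added example that is not part of the original article: because the middle fields differ by platform and browser, a reported version is only comparable with a baseline from its own branch. The single baseline below (11.5.502.149) is the build readers quote in the comments on this page; the host names, the inventory and the function names are constructed for illustration.

```python
import re

# Per-branch minimum builds. Only the 11.5.502 branch is filled in, using the
# build number quoted in the reader comments on this page; add the other
# branches from Adobe's bulletin before relying on the result.
BASELINES = {(11, 5, 502): 149}

_VERSION_RE = re.compile(r"^\d+(?:\.\d+){3}$")


def parse_version(text):
    """Return the four version fields as a tuple of ints, or None if malformed."""
    text = text.strip().replace(",", ".")  # some tools report the fields comma-separated
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def check_flash(text, baselines=BASELINES):
    """Classify a version: 'patched', 'outdated', 'unknown-branch' or 'malformed'."""
    version = parse_version(text)
    if version is None:
        return "malformed"
    branch, build = version[:3], version[3]
    if branch not in baselines:
        # Builds from different branches are not comparable with each other.
        return "unknown-branch"
    return "patched" if build >= baselines[branch] else "outdated"


def audit(inventory):
    """Map host -> status for a {host: version string} inventory."""
    return {host: check_flash(version) for host, version in inventory.items()}


# Constructed sample inventory (host names and versions made up for this example).
SAMPLE = {
    "win7-01": "11.5.502.149",
    "win7-02": "11.5.502.146",
    "xp-vm-01": "11,5,502,146",
    "mac-01": "11.5.502.99",    # below 149 as a number, although "99" sorts after "149" as text
    "linux-01": "11.2.202.262",  # a branch with no baseline entered yet
    "kiosk-01": "11.5.502",      # truncated report
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:10} {status}")
```

Hosts reported as `unknown-branch` or `malformed` need a manual look rather than being counted as patched.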

And Adobe's updater is still as anti-social as ever, at least on my Mac.

I don't let Flash update itself, preferring to be notified or to check for myself when I hear there's something available, like now.

That usually means opening the handy About page mentioned above, and, when needed, using the Flash Player preference pane in System Preferences:

Adobe's update does rather take over at this point, forcing me to shut down a raft of applications, which it doesn't re-open for me afterwards. (If I don't let it do so, and want to wait to finish the update later, it downloads the whole update again, even if it's the same version it fetched before.)

And when it's done, it's always dead keen to get me to reconsider the business of automatic upgrades, which I presume also means automatically force-closing my applications:

Maybe I'm a bit old fashioned, but I prefer to pick the moment for my updates, especially as I use a variety of networks at a variety of costs.

Despite these minor gripes, though, finding out what's changed in Flash, and whether I need to upgrade, is pretty easy these days.

And getting the update is easy enough, if you overlook the force-close of your applications.

Over to you...


16 Responses to Adobe patches Flash - heads off in-the-wild attacks against Windows and Apple users

  1. OS X's Flash updating looks light years away from the Windows update. Windows users need to update for each individual browser, and Chrome users are stuck waiting for Google to issue the next version.

    And, of course, Adobe -- just like Oracle, wants to bundle software with the download from their web site for a mandatory security patch (in this case Chrome & the Google Toolbar)

    • Paul Ducklin · 973 days ago

      If you use the updater (even if you do it unautomatically like me), there's no foistware.

      So the silver lining is that once you've installed without the addon blubber, the updates (at least on the Mac :-) leave you unblubbered.

      • MikeP_UK · 973 days ago

        Oh Yes it does! It tries to foist McAfee Security scanner on you! You can, of course, reject that and I personally would advise everyone to avoid that software.

      • MikeP_UK · 973 days ago

        In IE8 it offers Google Chrome! - which is foistware in my book.

      • JimboC_Security · 973 days ago

        Paul was referring to the fact that the auto-updater within Flash does not install additional unwanted software.

        You're correct MikeP, obtaining the update for IE via:

        offers Chrome.

        If you download the update from:

        you only get the update and nothing else.

        I have the above link for backup in case I need to update manually but I haven't needed to this time.

        I hope this helps. Thank you.

    • JimboC_Security · 973 days ago

      Hi pogue25,

      That’s true, Windows users do have to patch each browser plugin architecture e.g. ActiveX and Plugin. However if you have automatic updates for Flash Player enabled, both are installed one after the other (usually with a 1 hour gap between each). This is how it works for me.

      However the automatic updater is not perfect as I have noted previously, here is the link to my comments in the past:

      In summary, the auto updater only updates within 24 hours if the Flash Player version stays the same e.g. 11.5.502.146 to 11.5.502.149. If the version number had been 11.6, the update would be applied, just quite a few days (up to 1 week) from now.

      The auto updater saves me time since almost all the time I only need to check the updates have applied. If they haven’t I can apply the updates manually in a few seconds.

      I agree with Paul’s approach of notification of updates especially on metered data connections. We each need to find what works best for us and stick to it.


      • Richard · 973 days ago

        I have the Windows version of the Flash automatic updater enabled, but I have yet to see it update anything, let alone automatically!

        Even now, if I manually run the Flash Player Update Service, it does nothing; the version stays at 11.5.502.146, with no attempt to apply the update.

        I guess Adobe just want another chance to try to trick me into installing some random junk bundled with their critical update.

        • JimboC_Security · 973 days ago

          Hi Richard,

          That’s also true, opening Flash Player from the Control Panel and pressing the Check Now button does not update Flash Player. It simply opens the About page that Paul suggested bookmarking.

          As Paul mentioned, there is no foistware i.e. unwanted software bundled when you auto update or choose to be notified of updates. If there was any extra software I would have mentioned it in my comment above. I despise such included extras and would never let anyone install them unknowingly.

          Thank you.

        • JimboC_Security · 973 days ago

          Hi Richard,

          As noted in the following Adobe forum post, you may need to restart your computer to see any notification of the update (if you have your update setting set to notify).

          If you still continue to have any issues with the updater not updating for you, you can seek assistance on the Adobe Flash Player forum:

          I hope this helps. Thank you.

        • JimboC_Security · 973 days ago

          I left my 2x XP SP3 test virtual machines running all of last night and today in order for them to auto-update Flash Player.

          Upon arriving home and checking to see if the update had worked, the time stamps on the files and in the install log show they did so after 5 PM GMT today. All of my Windows 7 PCs updated last night.

          Not sure why the discrepancy between the operating systems but the auto-update did its job.

  2. TED · 973 days ago

    I love your comment on how some Mac owners think their precious OS X/Unix is SO safe and in the league with OpenBSD and whine when you comment how vulnerable their Mac is. I am a Mac person, and have had many back and forths with some people who think they know Mac security and think that the Mac would ALWAYS prompt you when something wanted to load, even 100% of malware. They seem to forget there is authentication by-pass malware out there. The Mac, it really IS security through obscurity. Just don't tell "them", they will start to whine.

    • Paul Ducklin · 973 days ago

      It's also worth remembering that:

      * Vanilla Mac malware (i.e. malware that doesn't install via a drive-by) doesn't need to ask for your password. Sure, it can't install kernel drivers, and it can't install for all users on the system...but it can still be malware.

      * Most Mac users are probably more accustomed to typing in their password during installs or updates than they'll admit. The Flash updater, for example, asks for it. So it's not quite as unusual or as exceptional as to be the sort of rarity you'd immediately become suspicious of.

  3. Pete Cooper · 973 days ago

    Long-time Mac user here. How do you know if someone has a Mac? They tell you. Ho ho.

    I started my day today with the task of updating Flash. It didn't go well, at all:

    As of now, I don't have Flash installed. At all. It strikes me that I might be one of those dull folk that don't _need_ Flash in their Internet browsers. I'll know more in a few days, of course, having no doubt invented new swear words as I rageflail across Flash-infested web pages.

    Right now, the only Flash-only feature I think I'll actively miss is Google Street View. This probably says more about my less-than-adventurous browsing habits than anything else. Thank goodness the porn industry is embracing HTML5 video, eh?

  4. MikeP_UK · 973 days ago

    When running the update on Firefox, Safari and IE8, it offered foistware. Only on Opera did it not offer anything 'extra'.

  5. Nigel · 973 days ago

    I totally agree on the YYYY-XX numbering. In fact, I’d rather everyone adopted a standardized YYYY-MM-DD dating system. It makes logical sense, going from the more general (year) to the more specific (date). The further into the future we go, the thing we'll most likely need to know first when looking back into the past is the year first, the month second, the date third.

    As for Mac users being more clueless about security than those who use other platforms, I often wonder whether that's really true, or whether it's a perception that's left over from the days of Apple's "I'm a Mac; I'm a PC" ad campaign. After all, there are still vastly more non-Mac users. So, even if the percentage of Mac users who are clueless is higher than the percentage of clueless users of other platforms, it doesn't seem likely that their numbers are numerically larger.

    In any case, with the increasing trend toward drive-by and other kinds of attacks that are not platform-specific, it's certainly true that no user can afford to be clueless or complacent about security. It's the bad guys against everybody now, and we're all in this together.

  6. Timothy · 973 days ago

    Can we get some specifics on exactly what this attack looks like from a Mac perspective?
    What is it actually doing/installing?


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog